This repository has been archived by the owner on Sep 22, 2020. It is now read-only.

Support assume_role credentials for route53 dns_challenge #27

Closed
tdewitt opened this issue Jan 25, 2018 · 4 comments

Comments

tdewitt commented Jan 25, 2018

The upstream AWS provider supports AWS role assumption. It would be nice for this to work with the route53 dns_challenge for the acme_certificate resource.

Reference: https://www.terraform.io/docs/providers/aws/#assume-role

vancluever (Owner) commented

Hey @tdewitt, you've kind of encountered a bit of a quirk with how this provider works versus the AWS provider, and one of the reasons why hashicorp/terraform#7058 was never merged. Particularly, we are not necessarily doing anything other than passing off environment variables to one of lego's DNS providers.

However, I have been thinking about ways we could possibly tap into other providers' settings to make this kind of thing happen, which may or may not make this kind of thing possible. For now though, it's not.

Going to leave this one open until I have had enough time to do sufficient fact finding on it.

tdewitt (Author) commented Jan 26, 2018

Understandable. I can probably Bad Hack my way around it but it would definitely be useful to have as part of the plugin. Nice work, regardless.

kipkoan commented Mar 3, 2018

@tdewitt - I was able to get it to work like this:

```hcl
dns_challenge {
  provider = "route53"

  config {
    AWS_PROFILE        = "${var.aws_profile}"
    AWS_DEFAULT_REGION = "${var.aws_region}"
  }
}
```

Then use the ~/.aws/config to set up assume role: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
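The following is an added, complete configuration illustrating the workaround described in the comment above; it is not code from the issue or from the provider's own documentation. It assumes the resource and attribute names of the acme provider's v1 documentation (`acme_registration`, `acme_certificate`, `dns_challenge`), a staging ACME `server_url`, and placeholder values for the profile name, role ARN, e-mail address and domain. The role assumption itself is not expressed in Terraform at all: the provider only hands `AWS_PROFILE` to lego, and the AWS SDK resolves that profile from `~/.aws/config`, where `role_arn` and `source_profile` make it an assume-role profile.

```hcl
# Added example (not from the issue). Values marked "assumed" are placeholders.

provider "acme" {
  # Staging endpoint so that test runs do not count against rate limits (assumed URL).
  server_url = "https://acme-staging.api.letsencrypt.org/directory"
}

# Account key for the ACME registration.
resource "tls_private_key" "account" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.account.private_key_pem}"
  email_address   = "certs@example.com" # assumed
}

resource "acme_certificate" "cert" {
  account_key_pem = "${acme_registration.reg.account_key_pem}"
  common_name     = "app.example.com" # assumed

  dns_challenge {
    provider = "route53"

    # Only the profile name and region reach lego as environment variables.
    # The profile named here must exist in ~/.aws/config, e.g. (assumed values):
    #
    #   [profile dns-challenge]
    #   role_arn       = arn:aws:iam::123456789012:role/Route53ChallengeRole
    #   source_profile = default
    #
    # The SDK reads that profile, calls sts:AssumeRole with the credentials of
    # "default", and uses the temporary credentials for the Route 53 calls.
    config {
      AWS_PROFILE        = "dns-challenge" # assumed profile name
      AWS_DEFAULT_REGION = "us-east-1"     # assumed region
    }
  }
}
```

Because the assumed role is the identity that actually writes the `_acme-challenge` records, it is the natural place to apply least privilege: grant it only the Route 53 actions the challenge needs (`route53:ListHostedZonesByName`, `route53:GetChange` and `route53:ChangeResourceRecordSets`, the last one scoped to the relevant hosted zone) rather than the broader permissions the source profile may carry. Note that with this approach the credentials are only as protected as `~/.aws/config` and `~/.aws/credentials` on the machine running Terraform.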

vancluever (Owner) commented

I've been giving this more thought over the last couple of weeks and I haven't come up with any real easy way to hook into external Terraform providers without drastically breaking this provider's portability, hence I don't think this is going to be possible.

It should be said that when we sync this provider with lego at any particular point in time, the state of the DNS providers gets inherited too, including any improvements to the interface on those DNS providers. So ultimately, the best way to get this kind of support into the ACME provider would be requesting the functionality or making a pull request on xenolf/lego.

Sorry for the delay on a decision on this one!
